Thursday, November 28, 2013

Resource Management : tcpdump

Analyzing network traffic is very important for a system admin. As an application server admin there are cases where I need to look at what is actually on the wire in order to find the reasons for slow performance.

tcpdump is a very useful command-line packet analyzer for Linux machines. It is packaged by most Linux distributions and is built on libpcap.

The tcpdump command should be run as root, or we need to make sure the user has sufficient privileges on the network device or socket (on Linux that means the CAP_NET_RAW and CAP_NET_ADMIN capabilities, which is what putting the interface into promiscuous mode requires). tcpdump can save packet data to a file (-w) and can read files like these back (-r). The capture files it writes are in the standard pcap format, so they can also be opened by tools like Wireshark.

In this article we will see some of the basic uses of tcpdump and how to use the command. Since the output of the command can be large, in most cases I will just give the commands.

1. Basic usage
[root@vx111a ~]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:46:17.437843 IP > UDP, length 22
17:46:17.438254 IP > 22161+ PTR? (42)
17:46:17.448783 IP > NBT UDP PACKET(138)
17:46:17.457622 IP > 22161 NXDomain 0/1/0 (99)
17:46:17.457781 IP > 34469+ PTR? (45)
17:46:17.538052 IP > UDP, length 22
17:46:17.624315 IP > UDP, length 22

7 packets captured
48 packets received by filter
11 packets dropped by kernel

Capturing runs until we stop it with Ctrl-C (or by killing the process). The three summary lines printed at the end are worth reading: "captured" is the number of packets tcpdump processed and printed (or wrote to the file), "received by filter" is the number that reached the capture filter, and "dropped by kernel" is the number the kernel discarded because tcpdump could not keep up and the capture buffer filled. A non-zero drop count means the capture is incomplete, which matters when the capture is later used as evidence or for troubleshooting; a larger buffer (-B) or a tighter filter helps.

2. List the available interfaces
[root@vx111a ~]# tcpdump -D
3.usbmon1 (USB bus number 1)
4.usbmon2 (USB bus number 2)
5.any (Pseudo-device that captures on all interfaces)

3. Capture packet data on a specific interface
[root@vx111a ~]# tcpdump -i eth0

4. Capture N packets on an interface and then exit
[root@vx111a ~]# tcpdump -c 2 -i eth0

5. Capture packets to or from a host (replace <host> with the hostname or IP address)
[root@vx111a ~]# tcpdump host <host>
6. Capture packets for a Specific Protocol
[root@vx111a ~]# tcpdump udp

7. Capture packets for a specific port (service names are looked up in /etc/services, so "port http" is the same as "port 80")
[root@vx111a ~]# tcpdump port http

8. Write packet Information to a File
[root@vx111a ~]# tcpdump -w hello.pcap -i eth0

9. Read packet information from a file (-tttt prints a full date and time for each packet instead of the bare time of day)
[root@vx111a ~]# tcpdump -tttt -r hello.pcap

10. Capture only packets larger than a specific size ("greater N" matches packets whose length is greater than or equal to N bytes)
tcpdump -w hello.pcap greater 1024

11. Capture only packets smaller than a specific size ("less N" matches packets whose length is less than or equal to N bytes)
tcpdump -w hello.pcap less 1024

12. Capture the packet flow on a particular port
tcpdump -i eth0 port 22

13. Capture packets for a particular destination IP and port (replace <dst-ip> with the destination address)
tcpdump -w hello.pcap -i eth0 dst <dst-ip> and port 22

14. Capture TCP packets between two hosts (replace <host1> and <host2>; "host" matches the address as either source or destination, so this catches both directions)
tcpdump -w hello.pcap -i eth0 tcp and host <host1> and host <host2>

15. Packet capture with file rotation
tcpdump -w /var/log/capture -C 10
First, tcpdump writes to the file /var/log/capture until its size reaches 10,000,000 bytes (-C counts in units of 1,000,000 bytes, not mebibytes).
When tcpdump captures a packet and finds that /var/log/capture has reached 10,000,000 bytes, it creates the next file /var/log/capture1 and continues writing there, then /var/log/capture2 and so on. Without a limit this will fill the disk over a long capture; adding -W N keeps only N files and overwrites them in a ring. Note also that on some distributions tcpdump drops privileges to an unprivileged user after opening the interface (see -Z), so the directory the files are written to must be writable by that user.
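The file written by -w (items 8 to 15 above) is a plain libpcap file: a 24-byte global header followed by one 16-byte record header plus the captured bytes for each packet. The following reader is an added example, not code from the original post, and not part of tcpdump or libpcap; it parses such a file in pure Python, decodes the Ethernet/IPv4/TCP/UDP headers, and applies the same predicates the commands above use (host, port, tcp/udp, greater, less). The sample capture it reads is constructed in memory from hypothetical addresses (10.0.0.x) so the example runs offline; checksums in the constructed frames are left zero because the reader does not verify them.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

PCAP_MAGIC_US = 0xA1B2C3D4      # microsecond timestamps (what tcpdump -w writes by default)
PCAP_MAGIC_NS = 0xA1B23C4D      # nanosecond timestamps (tcpdump --time-stamp-precision=nano)
LINKTYPE_ETHERNET = 1           # printed by tcpdump as "link-type EN10MB (Ethernet)"
IPPROTO_TCP, IPPROTO_UDP = 6, 17
PROTO_NAMES = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}


@dataclass
class Packet:
    ts: float        # seconds since the epoch
    cap_len: int     # bytes actually stored (truncated to the snaplen)
    orig_len: int    # length on the wire, which is what "greater"/"less" compare against
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def _decode_frame(frame: bytes, ts: float, cap_len: int, orig_len: int) -> Packet:
    """Decode Ethernet -> IPv4 -> TCP/UDP; anything else is reported as 'other'."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return Packet(ts, cap_len, orig_len, "", "", "other", 0, 0)
    ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length in bytes
    proto = frame[23]                               # IPv4 protocol field
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + ihl                                   # start of the transport header
    if proto in PROTO_NAMES and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])   # ports are the first 4 bytes of TCP and UDP
        return Packet(ts, cap_len, orig_len, src, dst, PROTO_NAMES[proto], sport, dport)
    return Packet(ts, cap_len, orig_len, src, dst, "ip", 0, 0)


def read_pcap(data: bytes) -> List[Packet]:
    """Parse a libpcap file as written by `tcpdump -w`, honouring the file's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):         # the same magics read in the opposite byte order
        end, magic = ">", struct.unpack(">I", data[:4])[0]
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    divisor = 1e9 if magic == PCAP_MAGIC_NS else 1e6
    _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        packets.append(_decode_frame(frame, ts_sec + ts_frac / divisor, incl_len, orig_len))
    return packets


def match(p: Packet, host: Optional[str] = None, port: Optional[int] = None, proto: Optional[str] = None,
          greater: Optional[int] = None, less: Optional[int] = None) -> bool:
    """Same semantics as the tcpdump primitives used in the post (greater/less are inclusive)."""
    if host is not None and host not in (p.src, p.dst):
        return False
    if port is not None and port not in (p.sport, p.dport):
        return False
    if proto is not None and p.proto != proto:
        return False
    if greater is not None and p.orig_len < greater:
        return False
    if less is not None and p.orig_len > less:
        return False
    return True


def summarize(pcap: bytes, **predicate) -> List[str]:
    """One line per matching packet, in the spirit of `tcpdump -r file`."""
    return ["%.6f IP %s.%d > %s.%d %s length %d" % (p.ts, p.src, p.sport, p.dst, p.dport, p.proto, p.orig_len)
            for p in read_pcap(pcap) if match(p, **predicate)]


def build_frame(src_ip: str, dst_ip: str, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP-or-UDP frame for the sample capture (checksums left zero)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"     # zeroed MAC addresses, EtherType IPv4
    if proto == IPPROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + l4


def build_pcap(frames: List[bytes], snaplen: int = 65535) -> bytes:
    """Write frames as a little-endian pcap file, truncating each record to snaplen as tcpdump -s does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1385643977 + i, 437843, len(captured), len(frame)) + captured
    return out


# Constructed sample: an SSH segment (1454 bytes), a DNS query (82 bytes) and an HTTP reply (354 bytes).
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.1", IPPROTO_TCP, 51234, 22, b"S" * 1400),
    build_frame("10.0.0.5", "10.0.0.53", IPPROTO_UDP, 40000, 53, b"D" * 40),
    build_frame("10.0.0.9", "10.0.0.5", IPPROTO_TCP, 80, 40001, b"H" * 300),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for line in summarize(SAMPLE_PCAP, proto="tcp", host="10.0.0.5", port=22):
        print(line)
```

Building the sample with a small snaplen (build_pcap(SAMPLE_FRAMES, snaplen=96)) shows the difference between the two lengths in every record: cap_len is what was stored, orig_len is what was on the wire, and the "capture size" line tcpdump prints at start-up is this snaplen. It also shows why filtering by size or reading payloads from a capture taken with a reduced -s can be misleading.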

More To Come, Happy Learning